[casual_games] Portal Sales

[Chuck Walbourn]

> This would imply MS is OK with games being installed to the \user\[username]\AppData\

> area.  Games (and gee, trojans and spyware) do run just fine out of there, but this kind of

> defeats the purpose of LUA/UAC, and really makes the whole thing a bit of a farce.



The primary purpose of LUA/UAC is to protect the system from being hijacked by almost every single executable run on existing Windows machines. A fully standard-user deployment is fine if the game it is installing itself runs as a standard-user. The only security threat here is to the local per-user files, not the system integrity. If one copy of the game is hijacked, then other users are not directly affected.



The basic premise of UAC/LUA is that in worst case you can delete the account and all associated data files, create a new account and your system is clean. Today if your system is compromised while running as admin, you have no way to ensure you are clean short of "format c:". It makes no guarntees about the security of the files the current user can read/write. It just protects other user's per-user files, system files, and protected shared files.



Now you as a developer don't want your application to result in the loss of user data. Having your install elevate to place your title's files in a protected area means your files are more secure than if they were accessible. It is a trade-off of is having your exes/dll protected from standard user-level malware vs. requiring admin rights to install the game.




>Services also have the ability to perform updates without triggering UAC or

>having LUA problems, so it is likely we will go that route in the long run

>(our current Vista solution installs and update games for LUA users without

>triggering UAC, but if we make any updates to our core client the updater

>does have to ask for UAC permission which we feel is dicey as not all users

>will automatically understand what they are being asked).


In general we do not recommend that everyone start writing and installing SYSTEM-level services. Writing a hardened service is a big task, although Windows Vista does provide some new functionality to help isolate them by giving them explicit permissions. For some kinds of operations, such as anti-cheat scans that expect to have access to every single process on the machine, a service is really the only way to do it. Lots of services increase the attack surface area and slow performance of the system.

For simple file updating, you don't actually need to elevate. There are patching technologies that work automatically from standard user. Elevating to update is fine if it only happens a few times over the life of the application. See the DirectX SDK Article "Patching Game Software in Windows XP and Windows Vista."

The challenge is constantly patching games (MMOs usually). For those titles, it is perfectly accpetable to open up a subdirectory of your game for all users and store updated files there, although you should take extra precautions about your assumed trust of those files. We are working on a whitepaper article for the DirectX SDK that details this.

-Chuck Walbourn
SDE, Game Technology Group